1. There are two links (Link1 and Link2) between SiteA and SiteB.
2. For each site, a pair of SSG140 with active/active resilience is configured. Each SSG140 has one link.
3. IPSec VPN (3DES) is built on Link1 and Link2 with SSG140.
4. On each site, there are two segments (SegmentA & SegmentB). We need to extend the two segments from SiteA to SiteB.
5. SegmentA will use Link1 as primary and Link2 as backup link. SegmentB will use Link2 as primary and Link1 as backup link.
6. On each site, a pair of 3560 (for resilience) will route the traffic from to one of the SSG140 for each segment. Thus, there are four 3560 on each site.

As described in the attachment, I am also thinking the below setup...

SiteA-SegmentA will select linkA, which is connected to SSG140A to access SiteB-SegmentA as primary, SSG140B is used as backup with static route.

SiteA-SegmentB will select LinkB, which is connected to SSG140B to access SiteB-SegmentB as primary, SSG140A is used as backup with static route.

Thus, though SSG140A and SSG140B are configured independently, the static route on the switches will switch the traffic from the primary to the secondary link in case of primary link failure.

Compared with configuring the SSG140 in active/active, is it more reliable? People have told me active/active is seldom employed in real-life cases.

Re: SSG 140 VPN

I would not use active/active; it tends to be problematic. Use active/passive. Also, I would use one link as primary and the other as backup, such as a primary DS3 with a shadow backup. You might be over-engineering this and making it more complex than it has to be. My two cents.